I have an HTML form inside an iframe that makes a POST request to an AEM servlet. The servlet path is excluded by the Adobe Granite CSRF Filter, and the host making the POST request has been added to the Allowed Hosts in the Apache Sling Referrer Filter. On AEM 18.104.22.168, everything works fine, however when upgrading to 22.214.171.124, the POST request returns a 403 Forbidden response. This is on an Author instance. The following message is seen in the Error log after making the request:
*INFO* [qtp691096566-2507] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
How can I avoid this so the POST request is successful?
Don't do any changes to white list the host or allow anonymous requests. It is not a recommended option and is not best security practice. You can solve your problem by including CSRF framework clientlib on the page where you have created your form. ClientLib category is - granite.csrf.standalone
@vanegi, @BrianKasingli Adding the path to the list of URLs that do not require authentication certainly worked, however it feels like a bit of a workaround. Is there no other way? What has changed in v126.96.36.199? Also I am not sure how I would add a request header from an HTML form.
@ChitraMadan I don't think this is related to the Apache Sling Referrer Filter, the host that makes the POST request has already been added to the Allowed Hosts. I also tried ticking Allow Empty and removing POST from the filter methods but still got the 403.
@kunal23 The granite.csrf.standalone clientlib has already been included on the page, but not inside the iframe. However, I am not sure this issue is related to the CSRF protection, as the servlet path has already been included in the Excluded Paths section of the Adobe Granite CSRF Filter config. I also tried removing POST from the filter methods but still got the 403.